Posted by J.O. Aho on 02/03/07 08:15

farmanima@gmail.com wrote:
> Is there any way to protect or encrypt passwords typically inserted as
> PHP code at tops of pages to access a MySQL database? So, if anyone
> casually looked at the PHP code could not discern DB usernames and
> passwords to access the database. :( Any explanations or code
> samples to achieve a more secure airtight environment beyond plaintext
> PHP code appendages will do me well.

The best way to protect logins and passwords for databases is to place them
in their own include file, closer to the root of the file system than what the
web server can access.

Say the system you are using has the following directory setup:

/home/
    username/
        html_public/

You have your php scripts in /home/username/html_public

You place your password/login in a file under /home/username, where the web
server doesn't look for files (it's usually locked to the html_public directory).


/home/username/html_public/mysqlfile.php
<?php
/* resolve the include relative to this script's own directory, not the
   process's working directory, so it works however the script is invoked */
require_once(dirname(__FILE__) . '/../passwordfile.php');
/* mysql_connect() is the old mysql extension (removed in PHP 7);
   mysqli or PDO take the same credentials */
$link = mysql_connect('localhost', $loginname, $password);
/* and so on ...*/
?>

/home/username/passwordfile.php
<?php
/* one level above the document root, so the web server never serves it */
$loginname = "your_database_user_name";
$password  = "your_database_password";
?>

This way, even if there were a misconfiguration of the web server, the
login and password would never be visible to the internet.


To protect /home/username/passwordfile.php from being read by other users on
the system, you will need to limit access to the file: you set yourself as the
owner of the file, of course, you set the file to belong to the same group as
the web server, and you give yourself read/write rights, while the group only
has read rights and anyone else gets no rights at all. (620)

But if you don't feel that's enough, you could use str_rot13, and then your two
files would be:

/home/username/html_public/mysqlfile.php
<?php
/* same include as before, resolved relative to this script's directory */
require_once(dirname(__FILE__) . '/../passwordfile.php');
/* the credentials are now returned by functions instead of plain variables */
$link = mysql_connect('localhost', loginname(), password());
/* and so on ...*/
?>

/home/username/passwordfile.php
<?php
/* str_rot13() is reversible obfuscation, not encryption: it only stops
   someone glancing at the file from reading the values directly */
function password() {
    return str_rot13('lbhe_qngnonfr_cnffbjeq');
}
function loginname() {
    return str_rot13('lbhe_qngnonfr_hfre_anzr');
}
?>

and yes, the login name and password are the same in both examples.
str_rot13() isn't much for security, but it will keep the text unreadable at
first look.

If you have a bad web hotel, your home directory will be the root for your web
pages too; in this case you should pray that your web host uses Apache, so
that you can use .htaccess to deny access to a directory (not all web hotels
will enable the usage of .htaccess files). Then you will need to create a
directory where you want to have password files and such.

--- .htaccess ---
<Limit GET POST>
order deny,allow
deny from all
</Limit>
--- eof ---

That should keep everyone out, as long as the feature to use .htaccess files is
enabled, but now you will be vulnerable to a temporary misconfiguration which
can lead to PHP files being served as plain text.

--

//Aho
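The reply above relies on two properties that are easy to get wrong in practice: the credentials include must really sit outside the document root, and its mode must give "others" nothing. The script below is an added example (not from the post or its author) that builds the described layout in a scratch directory and audits both properties. The directory name, file names and credential strings are constructed placeholders; the mode 640 is the "owner read/write, group read, others none" combination the reply describes in words.

```shell
#!/bin/sh
# Added example: build the split-config layout from the reply in a scratch
# directory and check that the credentials file (a) is outside the document
# root and (b) grants no permissions to "others". All paths and credential
# values below are constructed for the example.

# Create <base>/html_public (document root) and <base>/passwordfile.php
# (credentials include). The script in the docroot includes the credentials
# via a path relative to its own directory.
setup_layout() {
    base="$1"
    mkdir -p "$base/html_public"

    cat > "$base/passwordfile.php" <<'EOF'
<?php
/* constructed sample values, not real credentials */
$loginname = "your_database_user_name";
$password  = "your_database_password";
EOF
    # owner rw, group (the web server's group) r, others nothing
    chmod 640 "$base/passwordfile.php"

    cat > "$base/html_public/mysqlfile.php" <<'EOF'
<?php
require_once(dirname(__FILE__) . '/../passwordfile.php');
/* $loginname and $password are now defined; connect here */
EOF
}

# Succeeds (exit 0) when file $2 is NOT located under document root $1.
# Both paths are canonicalised with `pwd -P`, so symlinks and ".." segments
# cannot make a file inside the docroot look as if it were outside it.
outside_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 1
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    target="$dir/$(basename "$2")"
    case "$target" in
        "$docroot"/*) return 1 ;;   # inside: served as text on a misconfig
        *)            return 0 ;;
    esac
}

# Succeeds when the "others" digit of the octal mode is 0.
# GNU stat uses -c, BSD/macOS stat uses -f; GNU is tried first.
not_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run both checks for one layout; prints a verdict and returns 0 on pass.
audit_layout() {
    base="$1"
    outside_docroot "$base/html_public" "$base/passwordfile.php" || {
        echo "FAIL: credentials file is inside the document root"; return 1; }
    not_world_accessible "$base/passwordfile.php" || {
        echo "FAIL: credentials file is readable by other users"; return 1; }
    echo "OK: $base/passwordfile.php is outside the docroot and not world-readable"
}

# Usage: sh audit.sh /tmp/some_scratch_dir
if [ "$#" -gt 0 ]; then
    setup_layout "$1" && audit_layout "$1"
fi
```

`outside_docroot` is the check worth keeping around: running it against the real document root and every file that holds credentials catches the "bad web hotel" case the reply describes, where the home directory itself is the docroot and no parent directory is out of reach. `not_world_accessible` only looks at the mode bits; on a shared host the group must also be the web server's group, which the audit does not verify.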
